[GH-ISSUE #290] Make the output of mkcert <name> less alarming and more explanatory #186

Closed
opened 2026-02-25 22:32:49 +03:00 by kerem · 0 comments

Originally created by @maudnals on GitHub (Sep 8, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/290

Hey @FiloSottile! As discussed:

### Current behaviour

When running `mkcert <name>` without first running `mkcert -install`, warnings are displayed.
Example when running `mkcert localhost`:

```
Using the local CA at "/Users/maudn/Library/Application Support/mkcert" ✨
Warning: the local CA is not installed in the system trust store! ⚠️
Run "mkcert -install" to avoid verification errors ‼️

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
```

### Issue with the current behaviour

`Warning`, `... avoid verification errors !!` and the red color of the `!!` may look alarming and make users think that something is wrong and that they _have_ to run `mkcert -install` for their certificates to be properly generated.
When in fact, running `mkcert <name>` successfully creates a self-signed certificate, which is just fine for some use cases.
We may want to prevent a developer from running `mkcert -install` as a "quick fix" without having the implications in mind.
But the warning definitely is useful to developers planning on using a local root CA.

### New behaviour: proposal

Output when the user runs `mkcert <name>` e.g. `mkcert localhost` (surely this needs rewording, but something along these lines maybe:):

```
Created a new certificate valid for the following names 📜
 - "localhost"
The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

Local CA at "/Users/maudn/Library/Application Support/mkcert" but *not* installed.

⚠️ Warning: the certificate will appear as self-signed to browsers because the local CA
is not installed in the system trust store.
Browsers may display warnings when using this certificate.
• If this sounds OK, you can proceed.
• If you need a certificate that looks fully valid to browsers, run "mkcert -install" to
install the local CA in the system trust store.
```
kerem closed this issue 2026-02-25 22:32:49 +03:00
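
The verification error that the warning in this issue refers to can be reproduced with the Go standard library alone. This is an added example, not code from the issue or from mkcert: the CA, the leaf certificate and the function names are constructed here, and an in-memory `x509.CertPool` is assumed as a stand-in for the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyLeaf checks a CA-issued leaf against a pool standing in for the trust store.
func verifyLeaf(caInstalled bool) (unknownCA bool, err error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "constructed local CA"}}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root (constructed)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool() // stays empty unless the CA is "installed"
	if caInstalled {
		roots.AddCert(ca)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "localhost"})
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae), err
}

func main() {
	fmt.Println(verifyLeaf(true))
	fmt.Println(verifyLeaf(false))
}
```

The certificate and key are generated successfully in both cases; only the verifier's outcome changes with the contents of the root pool.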